Introduction to GDPR
Are you a business owner with a functional business entity in the European Union? Do you hire employees who work in the European Union? If yes, this guide will help you determine your data-privacy compliance requirements under the General Data Protection Regulation (GDPR). GDPR has changed how businesses handle personal data and has become crucial to data privacy compliance.
Read along to keep yourself updated on these new changes.
What does GDPR Compliance mean?
GDPR compliance means that a company is following the General Data Protection Regulation (GDPR), which is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
The GDPR aims primarily to give control back to citizens and residents over their personal data and simplify international business’s regulatory environment by unifying the regulation within the EU.
It does this by replacing the data protection directive (Directive 95/46/EC) of 1995. The regulation has been in effect since May 25, 2018.
The GDPR applies to all organizations that process the personal data of individuals located in the EU, regardless of whether the organization is located in the EU or not. This means that Australian organizations that process the personal data of individuals located in the EU must comply with the GDPR, even if they do not have a physical presence in the EU.
The GDPR sets out a number of requirements for organizations that process personal data, including:
- Obtaining consent from individuals before processing their personal data
- Providing individuals with access to their personal data
- Deleting personal data upon request from individuals
- Reporting data breaches to data protection authorities
Who Needs to Comply with GDPR?
GDPR compliance applies to any organization that processes the personal data of individuals residing in the EU, regardless of the organization’s location.
This includes businesses based outside the EU but offering goods or services to EU residents or monitoring their behaviour. So if you are an Australian business owner but also have employees in the EU or you sell your products to EU residents, you might be required to be GDPR compliant.
How Does GDPR Impact Australian Businesses?
Although Australia has its own data protection laws, GDPR can still impact Australian businesses that handle the personal data of individuals in the EU.
If an Australian business falls under the scope of GDPR, it must comply with its requirements to ensure the protection of EU citizens’ data.
The nature of your business operations, not its size, will determine whether you fall under the data protection regulation or not. When an organisation’s operating activities present a high risk to individuals’ rights and freedoms, they will trigger more stringent rules. Conversely, not all SMEs will be subject to the GDPR obligations in their entirety.
For example, organisations don’t have to keep records of their processing activities when they have less than 250 employees. However, if processing personal data is a regular activity, or the process poses a threat to individuals’ rights and freedoms, then the entity must keep records. This is also the case where the data is sensitive in nature.
Similarly, SMEs are only required to appoint a data protection officer if processing personal data is their main business and poses specific threats to individuals’ freedoms. An example of this involves monitoring individuals or processing sensitive data such as criminal records.
This becomes particularly true when personal data is involved on a large scale. The Office of the Australian Information Commissioner (OAIC) has more detailed information regarding the GDPR if you need more clarity.
Data Concerning Companies
The GDPR exclusively applies to personal data regarding individuals. It doesn’t govern data concerning companies or other legal entities. However, where the information relates to one-person companies such as a sole trader, the rules may still apply. This is an important distinction and will only occur if the personal data in question allows the identification of a natural person.
You can learn more about GDPR’s impact on Australian businesses here.
Key Things To Remember When Implementing GDPR Compliance
To ensure GDPR compliance, adopt a comprehensive approach involving all employees. Increase awareness of data protection and security to foster a sense of responsibility.
Start by identifying potential non-compliance areas using your company’s risk register. Safeguard devices carried by employees and secure the office physically.
Control employee access to data, limiting exit points. Verify GDPR compliance of third-party suppliers and subcontractors. Prompt them to become compliant or consider changing business partners.
Ensure data processing agreements are in place with third-party suppliers, going beyond verbal or written confirmation, to achieve full compliance.
To ensure compliance with GDPR’s accountability principle, it is crucial to understand how customer data flows within your cloud-based company. Maintain records for each data piece, demonstrating the steps taken to comply with data protection principles. Consider the following information:
- Identify company departments.
- Specify the personal data recorded in each department.
- Describe the data processing methods used by each department.
- Assign responsibility for data processing within each department.
- Consolidate this information into a cohesive document and keep it regularly updated to reflect current data handling practices.
In the event of sharing incorrect personal data with another company, it is necessary to notify them promptly to rectify their records.
Review Current Policies and Practices
- How you collect personal data.
- The lawful basis for collecting personal data.
- The purpose for which the personal data will be used.
- The retention period for holding the personal data.
- The rights of your users, including the option to file a complaint with the ICO if dissatisfied with your data handling.
Addressing Individual Rights
Conduct a thorough review of your privacy and data protection policies to ensure compliance with GDPR requirements regarding individuals’ rights. This includes provisions for deleting personal data and providing it electronically in a commonly used format, free of charge.
Under GDPR, individuals have enhanced rights, including the right to:
- Access their information
- Correct mistakes in their data
- Data portability
- Have personal data deleted
- Opt-out of direct marketing
- Avoid automated decision-making and profiling
Consider how your company would handle requests to delete personal data. Assess if your systems allow for locating and deleting data and designate individuals responsible for data-related decisions.
Streamline a Subject Access Request (SAR) procedures for timely and efficient handling:
- Revise procedures to comply with new rules:
- Eliminate fees for SAR compliance in most cases.
- Meet the one-month deadline for SAR response, replacing the previous 40-day timeframe.
- Exercise the right to refuse excessive or baseless requests while providing a clear explanation to individuals and informing them of their right to complain and take legal action within one month.
- Assess capacity to handle SARs within deadlines:
- Evaluate whether your company, especially if large, can manage a high volume of SARs.
- Consider providing additional information within existing systems, such as data retention periods and rectification of inaccuracies.
- Implement practical steps:
- Develop GDPR-compliant response letters to ensure proper addressing of SARs.
- Update SAR policies and procedures to reflect enhanced individual rights, new timescales, and the removal of fees.
- Establish technical processes to expedite personal data processing in the required format.
- Create policies to promptly correct data inaccuracies and procedures to cease processing where applicable.
Explain Legitimate Basis
To ensure GDPR compliance, assess your cloud-hosted company’s data processing activities and determine the legal basis for each. Update your privacy notice accordingly to communicate these changes clearly. When responding to Subject Access Requests (SARs), clearly explain the lawful basis for data processing. Identifying the lawful basis is crucial as it impacts individuals’ rights, such as the right to data deletion, which may be stronger under the basis of consent.
The GDPR obligates cloud-hosted companies to ensure their cookie consent banners are updated with clear and concise language. The banners should include an opt-out button for individuals who choose not to give their consent.
Utilizing automated cookie software can help generate personalized user consent. It is important to review alternative methods for obtaining consent and fresh consent if current practices do not align with GDPR requirements.
Consider implementing age verification systems and obtaining parental/guardian consent when processing children’s data. The GDPR includes specific protections for vulnerable individuals, particularly children, in relation to online services.
If your cloud-based company offers services to children that involve collecting their personal data and require consent, you must obtain verifiable consent from a parent or guardian. The consent should be communicated using language appropriate for children. Children under 16 years of age (under 13 years in the United Kingdom) need consent from a person with parental responsibility.
Ensure proper procedures are in place to detect, report, and investigate personal data breaches. Conduct a GDPR assessment to identify the types of data held and determine which breaches require notification.
Under GDPR, cloud-hosted companies must report specific data breaches to the ICO and, in some cases, to affected individuals. This includes breaches that pose risks to individuals’ rights, such as financial loss, reputation damage, loss of confidentiality, or discrimination.
Notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. If there is a high risk to individuals’ rights and freedoms, inform them promptly and without undue delay.
Privacy and Data Protection Mindset
Cloud-hosted companies should prioritize “privacy by design” in their operations. They should conduct Data Protection Impact Assessments (DPIAs) in high-risk situations, such as user profiling or deploying new technologies. GDPR recommends data encryption using pseudonymization or anonymization.
Unnecessary data should be deleted to minimize the volume of data requiring protection, including obsolete data in backups. Data centers should be located in areas with strong data security, such as the US or Europe. Implementing IT measures like double authentication, TLS/SSL certificates, password encryption, and securing employee devices are essential.
Regular vulnerability scans should be conducted on devices, systems, and networks to identify potential security vulnerabilities.
Data Protection Officer
To ensure GDPR compliance, designate a Data Protection Officer (DPO) who will be responsible for data protection. Determine where the DPO fits in your organizational structure and assess if a formal appointment is required.
Under the GDPR, a DPO must be designated if:
- you are a public authority,
- engage in periodic monitoring of large data volumes, or
- process special categories of data on a large scale.
Cloud-hosted companies typically fall under these criteria and should appoint a DPO, who may require training to fulfil their role effectively.
If your cloud-hosted company operates in multiple EU member states or has a single EU establishment that affects EU citizens in other member states, it is important to select a lead data protection supervisory authority and document it, following guidelines from the Article 29 Working Party.
To determine your “main establishment,” identify where your company makes the most significant decisions regarding data processing activities. The supervisory authority at this establishment will serve as the lead authority.
Companies based outside the EU must comply with GDPR requirements if they provide services to EU citizens or monitor behavior occurring within the European Union.
The Difference Between Privacy Policies and Privacy Notices
A privacy notice is a state provided to individuals at the moment of data collection, explaining why their data is being collected, what data is being processed and how it is intended on being used.
How To Complete A Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a process to identify and mitigate privacy risks associated with data processing activities. To complete a DPIA, follow these steps:
- Identify the need for a DPIA: Determine whether the processing activities involve high risks to individuals’ rights and freedoms.
- Describe the processing activities: Document the purpose, nature, and scope of the processing, including the types of personal data involved.
- Assess necessity and proportionality: Evaluate the processing activities’ necessity and ensure they are proportionate to the intended purpose.
- Identify and assess risks: Identify potential risks to individuals’ rights and freedoms, such as unauthorized access, data breaches, or discriminatory effects.
- Mitigate risks: Implement measures to minimize identified risks, such as pseudonymization, encryption, or access controls.
- Seek advice and approval: Consult with the relevant supervisory authority if the DPIA indicates high risks that cannot be mitigated adequately.
How to Get a GDPR Compliance Certificate
Once you have taken all steps to ensure that your company is GDPR compliant, you can seek a GDPR certificate to ensure your employees, investors, and other stakeholders know your commitment to GDPR values. There are a few certification bodies that provide GDPR certifications. Here are some global examples:
- The European Privacy Seal (EuroPriSe): This certification scheme for IT products and IT-based services in Europe verifies compliance with criteria based on the European Data Protection directives (95/46/EC and 2002/58/EC) and the opinions of the Article 29 Working Party.
- TRUSTe: The TRUSTe Certified Privacy seal for US companies operating in the EU demonstrates alignment with the TRUSTe Enterprise Privacy & Data Governance Practices Assessment Criteria. This certification combines various regulatory standards such as the APEC Privacy Framework, ISO 27001, HIPAA, the OECD Privacy Guidelines, and the GDPR.
Similarly, some third parties in Australia also provide similar certificates. SGS is one such body providing GDPR certifications to compliant businesses.
What Is The Maximum Fine for GDPR non-compliance?
The maximum fines for GDPR non-compliance can be up to €20 million or 4% of the global annual turnover, whichever is higher, depending on the severity and nature of the violation.
How Much Does GDPR Compliance Cost?
According to a PwC report, the estimated cost of compliance is expected to exceed $1 million (approximately €900,000). However, there are instances where this amount could be significantly higher.
For instance, 12% of respondents in the report stated their intention to invest over $10 million. Regarding the ongoing expenses of GDPR compliance, the report discovered that 88% of organizations spend more than $1 million, with 40% spending more than $10 million.
GDPR compliance is essential for businesses that handle personal data, even if they are located outside the EU. It can be a complex process, and hiring a qualified lawyer who knows GDPR compliance requirements is highly recommended. You can talk to a lawyer to ensure your business is GDPR compliant.
Get a fixed-fee quote from Australia's largest lawyer marketplace.